Perform Post-Installation Tasks

Access Cisco DNA Center Using a Web Browser

Cisco DNA Center supports a web interface using the following HTTPS-enabled browsers:

Google Chrome—version 62.0 or later

Mozilla Firefox—version 54.0 or later

Log In to Cisco DNA Center For the First Time

After you have installed the DNA Center appliance, you can log into its web-based interface for the first time. You must use only supported HTTPS-enabled browsers when accessing DNA Center. For a list of supported browsers, see Access Cisco DNA Center Using a Web Browser.

When logging in for the first time as the system admin (super user), you will be asked to complete a first-time setup wizard that helps you enhance system security and complete basic setup tasks. Although you can skip each of the steps in the wizard, Cisco recommends that you complete all of them as indicated, so that your system is ready to go immediately.

Before You Begin

In order to complete the first-time setup wizard, you will need the following information:

A new password for the admin superuser. Resetting the admin superuser password is an important way to enhance operational security if, for example, personnel who will not be DNA Center users or administrators installed the DNA Center software.

The software EULA window appears. Click Next to accept the software End User License Agreement and continue.

Step 11

The Ready To Go! window appears. Click on any of the links displayed to start discovering devices and constructing your network hierarchy, or click Go to display the main DNA Center dashboard.

Integrate Cisco ISE With DNA Center

This release of DNA Center provides a mechanism to create a trusted communications link with Cisco Identity Services Engine (ISE) and permit the two applications to share data with one another in a secure manner. Once ISE is registered with DNA Center, any device ISE discovers, along with relevant configuration and other data, is pushed to DNA Center. Users can use either application to discover devices and then apply both DNA Center and ISE functions to them, as these devices will be exposed in both applications. DNA Center and ISE devices are all uniquely identified by their device names.

Similarly, DNA Center devices, as soon as they are provisioned and belong to a particular site in the DNA Center site hierarchy, are pushed to ISE. Any updates to a DNA Center device (such as changes to IP address, SNMP or CLI credentials, ISE shared secret, and so on) will flow to the corresponding device instance on ISE automatically. When a DNA Center device is deleted, it is removed from ISE as well.

Follow the steps below to integrate ISE with DNA Center.

Before You Begin

Before attempting to integrate ISE with Cisco DNA Center, be sure you have met the following pre-requisites:

You have deployed one or more ISE version 2.3 hosts on your network. If you have a multi-host ISE deployment, integrating with the ISE admin node is recommended.

The PxGrid service must be enabled on the ISE host with which you plan to integrate DNA Center. The procedure below explains how to enable this service.

The ISE admin node on which PxGrid is enabled must be reachable on the IP address of the eth0 interface of ISE from DNA Center.

The ISE node can reach the fabric underlay network via the appliance NIC.

The ISE node has SSH enabled

The ISE CLI and GUI user accounts must use the same username and password

The ISE admin node certificate must contain the ISE IP address or fully-qualified domain name (FQDN) in either the certificate subject name or the SAN.

The DNA Center system certificate must contain the DNA Center appliance IP or FQDN in either the certificate subject name or the SAN.

Step 1

Enable ISE Services on the ISE host, as follows:

Log into the ISE node with which you want to integrate.

Select Administration > Deployment.

Select the host name of the ISE node with which you will integrate and, under the General Settings tab, make sure the following boxes are checked: Enable SXP Service, Enable Passive Identity Service, and pxGrid.

Click Save.

Click the Profiling Configurationtab and ensure that (at a minimum) the following probes are selected: RADIUS, SNMPQUERY.

On the Settings - Authentication and Policy Servers page, click the large plus (+) icon to display the AAA settings .

Click the Cisco ISE slider to ensure that all of the ISE-related fields are shown.

Enter the ISE management IP address in the IP address field.

Enter the Shared Secret used to secure communications between your network devices and ISE.

Enter the corresponding ISE admin credentials in the Username and Password fields.

Enter the FQDN for the ISE node.

Enter the Subscriber Name (for example: dnacenter).

The SSH Key is optional and may be left blank.

Step 3

When you are finished populating these fields, click Update and wait for the server status to show as Active.

Step 4

Verify that ISE is connected to DNA Center and that the connection has subscribers, as follows:

Log into the ISE node.

Select Administration > pxGrid Services. You should see that a subscriber named dnac_194 is currently online.

If the subscriber status is Pending, select Total Pending Approval > Approve All Clients to approve this subscriber. The subscriber status should change to online.

Step 5

Verify that DNA Center is connected to ISE and that ISE SGT groups and devices are being pushed to DNA Center, as follows:

Log in to the DNA Center web-based GUI.

Click and then select System Settings.

Under the Cisco ISE panel, select the Configure Settings link.

On the Settings - Authentication and Policy Servers page, click the large plus (+) icon to display the AAA settings .

Verify that the status for the Cisco ISE AAA server is still Active.

Select Policy > Registry > Scalable Groups. You should see ISE SGT groups in the list of Scalable Groups.

Log Out of Cisco DNA Center

Follow the steps below to log out of the Cisco DNA Center web-based GUI interface.

For security reasons, we recommend that you log out whenever you complete a work session. If you do not log out yourself, DNA Center will log you out automatically after 30 minutes of inactivity.

Step 1

Click .

Step 2

Click Sign out. This ends your session and logs you out of DNA Center.

Reconfigure the Appliance Using the Wizard

If you need to reconfigure your appliance, you must use the configuration wizard to do so. You cannot use the Linux CLI to do this. Perform the steps in this procedure to change the DNA Center configuration wizard settings, including the external network settings, NTP server address, and/or password for the Linux maglev user. The external network settings that can be changed include:

Host IP address

DNS server

Default gateway

NTP servers

Static routes

Step 1

Using a Secure Shell (SSH) client, log into the DNA Center appliance.

Log in using the IP address that you specified using the configuration wizard, on port 2222.

The recommended IP address to enter for the SSH client is the IP address that you configured for the OOB management network adapter. Although you can use the IP of the port that connects the appliance to the enterprise network, you will lose your connection to the appliance the moment you reset that port's IP address.